How many manual tasks must a Microsoft Office 365 admin slog through, boring them to tears and resulting in errors they get blamed for, before crying ‘Uncle!’?
This pain stops by figuring out how to do a task perfectly, then automating it through a workflow so it can be repeated perfectly and safely. Then do the same for all your repeatable tasks. By automating admin tasks through workflow, which includes updates to the on-premises Active Directory environment, IT administrators save hours of manual effort each week – time better spent on more productive and satisfying endeavors.
Even better, everyone can use the same workflow and do the task perfectly. No more going to the onboarding expert or scratching your head when that person leaves the company! Now common Microsoft Office 365 (now called Microsoft 365) admin tasks can be easily delegated – even to non-IT pros. This is the beauty of delegated administration.
Microsoft 365 doesn’t come with administrative workflows built in. Fortunately, CoreView provides a workflow solution in which easily created, customizable IT admin process steps run automatically from the CoreView workflow engine – often in one click. These automations can reach towering levels of complexity, as many different steps are chained together and performed in the appropriate and exact sequence.
All M365 management actions can be accomplished through a workflow, including custom PowerShell scripts, opening the door to unlimited automation scenarios. In fact, CoreView’s myriad workflow templates include automations for Account Management, License Management, and Security Compliance – as well as custom actions.
Workflow is critical for one CoreView customer. “We view CoreView as experts in the field that can guide us to the most pertinent parts of the M365 ecosystem and integrate best practices into workflows,” said Tobin M. Cataldo, Executive Director – Jefferson County Library Cooperative.
There are two types of workflows designed to automate the actual kick off of the workflows – truly automating the automation. These are:
Workflows can be directly executed from reports. If you have a report of a risky user, a workflow can automatically perform pre-determined actions to take care of the situation.
Instead of taking action based on the report of a risky user, a workflow can kick off when there is a risk event, such as an attack on a user.
Dealing with security alerts, creating security policies, and ensuring compliance all require the creation and performance of complex repetitive tasks. That is, without workflow. Workflows make protecting the environment orders of magnitude easier. For instance, CoreView may detect that someone downloaded 1,000 files from OneDrive when they shouldn’t have. With a workflow, an admin can automatically disable their account.
Microsoft 365 includes risk reports showing what events IT should look into, and in many cases, which users may have been compromised. Here is an example of a four-step workflow to use in such a case:
The new way to handle passwords is to not require regular expiration and resets – but only change passwords when there is a risk alert. While risk or event-based password changes are a great idea, execution isn’t so easy. “What CoreView has, which is completely unique in the industry, is we know that you’re on that risk report, and we can schedule the changes: Since you’re on it, I’m going to wipe your user session. In other words, log you out of all your applications. I’ll reset your password, notify the help desk, and notify IT security that Joe User was on a high-risk report for impossible travel, and please check A, B, and C before you re-initialize his account,” explained CoreView Solution Architect Matt Smith.
Like passwords, MFA can be dealt with based on risk events. “IT should enable risk-based multi-factor authentication activation. If you’re at risk, IT will make you authenticate. CoreView takes this a step further, which is part of our workflow. IT can wipe user sessions. Because a user token is good for eight hours by default, should IT allow the user to keep pounding on it for eight hours? No, IT should log them out right now, because they showed up on a high-risk report. An admin can block the account and notify IT security and the help desk because you showed up on an impossible travel report or on a malware on a device report, something like that,” Smith explained.
Mobile devices are a prevalent M365 endpoint, so security here is paramount. In fact, managing, tracking, and fixing Apple iOS and other device issues can be automated through CoreView workflows.
A case in point is a recent iOS vulnerability. To handle this, CoreView admins were given a workflow to identify iPhones with an older OS, or still using the iOS Mail App, and update iOS or move users off the iOS Mail App.
Knowing that these iOS MailDemon attacks are in the wild with millions of non-updated iPhones and countless folks using the iOS Mail App, CoreView co-founder David Mascarella rushed out a KPI to identify and delineate the issue, and an automated workflow that solves the problem tout de suite.
“I created a policy that identifies the devices affected by this vulnerability. If we select the policy that dives into the data, the system will automatically target the users that are affected. We do that by targeting all users with mobile devices, with the operating system equal to iOS, with the versions that do not include 13.5,” Mascarella explained.
The KPI and workflow then suggest management actions an operator can perform in order to disassociate these mobile devices from the tenant, and also run a workflow. “When you run the workflow, the system automatically targets all of the affected users, and sends an email — there is a description of the problem CoreView detected, that you are accessing your email with an unsafe client. You have to update your mobile device. To learn how to update your mobile device operating system, please look at this video. There is a link to a helpful video that shows how to update the device,” Mascarella said.
The workflow offers several ways to remediate the iOS problem. We mentioned sending an email advising an end user to update iOS or switch off the iOS Mail App. It can also remove the device.
Finally, the workflow can automatically enforce an iOS security policy. IT can have a report showing which devices are still not secure, and run the report, say, every Friday. If the report is empty, there is no problem. “Every Friday the system will check if we still have a user who has not updated their device. Then the system will engage the user and alert them to update their system. You can also make these workflows more active and run these workflows every day. You can also deactivate the mobile device, and remove the mobile devices and the email client,” Mascarella said.
One key way to safeguard the M365 tenant from wayward admins and dangerous mistakes is through Just-in-Time admin rights. These rights can be assigned, given out, and taken back – all through simple, repeatable workflows.
User provisioning and deprovisioning are prone to error, allowing successful cloud attacks. Workflow templates easily create and automate provisioning and deprovisioning processes, eliminating these mistakes. This ensures users have the right licenses and access to the right applications and infrastructure. You can also “clone” users to reduce errors and speed provisioning.
Incorrect user provisioning can have a direct impact on user productivity, while mismanaged deprovisioning can open the doors to potential data breaches.
Onboarding and provisioning are related and complementary processes. Onboarding is much the same as provisioning. It is just more extensive. Technically, provisioning refers to the creation of the user object. Onboarding is all the stuff that takes place outside of that user creation.
Onboarding speaks to the authorizations and permissions that are then bound to the object. We might say that a provisioning action is creating the user, giving that person a license, and setting the password. The onboarding is everything else. That person now needs to be inserted into 10 distribution lists, needs to be given a pre-provisioned OneDrive share, or have a script run against them to turn on their access.
“If we have to onboard a user, we can create a fully automated workflow. Inside our own company, we have a 50-step workflow to onboard a user – and it’s one click,” said Ivan Fioravanti, CoreView Chief Technical Officer. “I create a user, assign the Teams membership, group membership, create the mailbox, and so on – it is super easy.”
According to Gartner analyst Neil MacDonald, “Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.”
In fact, a large number of data breaches occur because admins did not complete all required configuration steps, and misconfiguration results. With a workflow based on a proven and perfected configuration process, regardless of what is being configured, mistakes are never made again.
CoreView workflow eliminates that human error and ensures that all the dependencies are met. Moreover, it guarantees that desired configuration management practices are met, which is critical for setting up user accounts and other data assets like mailboxes, shared mailboxes, and Teams channels.
Gartner finds that most successful cloud attacks exploit misconfiguration. Once you have a secure approach to configuration, map it to a workflow so it is done properly each time.
Customizable IT admin processes can be run from the workflow engine. Steps can be chained together so they are performed in the proper sequence. All management actions can be part of a workflow, including custom PowerShell scripts, leading to unlimited scenarios.
From CoreView usage stats, we have found that 90% of external users become inactive after 90 days. With automation, you can automatically block access and remove the user, or ask consent of the person or the manager who invited them. Any active account is an additional endpoint opened on your tenant.
Workflow automation also identifies external users inactive in the last 60 days and automatically starts a process of cleanup with approval. Another workflow forces employees to add detailed information when an external user is invited, such as department, company, manager, country, and validity. Workflow will take care of removing the invited user or renewing them based on a customizable approval process.
Adding Workflow automation to the external user equation makes it faster, easier and safer to perform external user processes. Chief Technology Officer Ivan Fioravanti detailed how CoreView does this work. “Maybe you do not want the M365 operator to go manually through all the external users. A second way is to run a workflow. Built into the platform we have Workflow, which does business process automation,” Fioravanti said.
Meanwhile, workflow scheduling is flexible and easy. “Maybe we want a Monday morning habit of dealing with external users. You can schedule the ‘Inactive External User’ report, and have IT alerted if it is not empty. So you choose every week. The action is that the workflow will automatically execute and send an email to the manager asking to remove the external user. You can always re-invite an external user that has been removed,” Fioravanti said.
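The inactive-external-user cleanup with approval described above can be sketched as follows. This is an added example, not CoreView's code: the account records are constructed, the field names and the fallback approver address are assumptions, and only the 60-day threshold comes from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=60)  # threshold named in the article
NOW = datetime(2020, 7, 6, tzinfo=timezone.utc)  # fixed "today" for the sample

def days_ago(n):
    return NOW - timedelta(days=n)

# Constructed sample inventory; field names are assumptions, not a real API.
GUESTS = [
    {"mail": "a.rossi@partner.example", "invited_by": "mgr1@corp.example",
     "created": days_ago(200), "last_sign_in": days_ago(95)},
    {"mail": "b.lee@vendor.example", "invited_by": "mgr1@corp.example",
     "created": days_ago(30), "last_sign_in": days_ago(3)},
    {"mail": "c.kim@vendor.example", "invited_by": "mgr2@corp.example",
     "created": days_ago(120), "last_sign_in": None},  # invite never redeemed
    {"mail": "d.ng@agency.example", "invited_by": None,
     "created": days_ago(10), "last_sign_in": None},   # fresh invite
]

def inactive_guests(guests, now=NOW, threshold=INACTIVE_AFTER):
    """Guests with no sign-in inside the threshold. A guest who never signed
    in is aged from the invitation date, so a stale unredeemed invite is
    caught while a fresh one is left alone."""
    return [g for g in guests
            if now - (g["last_sign_in"] or g["created"]) > threshold]

def approval_requests(stale, fallback="it-security@corp.example"):
    """One request per approver; guests with no recorded inviter go to IT."""
    grouped = defaultdict(list)
    for g in stale:
        grouped[g["invited_by"] or fallback].append(g["mail"])
    return dict(grouped)

def apply_decisions(requests, decisions):
    """Split guests into remove / renew / pending. Only an explicit approval
    removes an account; an unanswered request stays pending for follow-up."""
    outcome = {"remove": [], "renew": [], "pending": []}
    for mails in requests.values():
        for mail in mails:
            verdict = decisions.get(mail)
            key = "remove" if verdict is True else "renew" if verdict is False else "pending"
            outcome[key].append(mail)
    return outcome
```

Treating a missing answer as "pending" rather than "remove" keeps the approval step meaningful: nothing is deleted because a manager was on holiday.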
Workflow adds to external user security. “Everything is extremely secure. You can create a workflow that will only be visible to specific users, specific operators of the platform. Using RBAC and virtual tenants, only that operator can see and use that workflow,” Fioravanti said.
Managing Active Directory and Azure Active Directory (AD) is a constant and complex effort. Fortunately, common Active Directory tasks, whether Azure AD or on-premises Active Directory, can be automated, ensuring they are done correctly and on time.
By automating admin tasks through workflow, which includes updates to the on-premises Active Directory environment, IT administrators will save hours of manual effort each week. One customer automates an array of directory-related tasks, including:
Policies are key to M365 administration efficiency and security. Wouldn’t it be great to create, automate and apply policies that handle every aspect of Microsoft Office 365 administration, as well as supporting fine-tuned security policies and automated implementation?
You can. The same large CoreView customer referenced above uses myriad workflows for policies, including:
Results with CoreView
It is not reasonable to expect a non-expert in Microsoft 365 administration to understand the dependencies involved in a task. Take mailbox administration. You have to create a user before you can create a mailbox, which seems obvious. However, there are many layers of subtleties beneath that. You need to wait until the mailbox is fully created before setting a litigation hold or retention policies on it, and so forth.
Workflow gets all these dependencies right, and even puts in the requisite waits and retries, which are important because M365 is a shared environment of well over 300 million users. Things do not often happen instantaneously within a system as large as Microsoft 365. To set up mailboxes right, you have to know the exact commands to run and the order in which they need to be run. In practice, people sometimes start the task and then have to wait – 15, 30 minutes, an hour – for, say, step three of seven to complete. So they switch to another task, and critical step number four never gets finished due to human error.
A workflow can be designed to know all the intricacies and dependencies – and get the job done right.
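The ordering problem described above (a litigation hold can only be set once the mailbox exists) is what waits and retries solve. The sketch below is an added example, not CoreView's engine: `FakeTenant` is a constructed stand-in for the tenant, and all names and retry parameters are assumptions.

```python
import time

class NotReady(Exception):
    """Raised by a step whose prerequisite has not finished provisioning."""

class FakeTenant:
    """Constructed stand-in for a tenant: the mailbox appears after a few polls."""
    def __init__(self, polls_until_mailbox):
        self.polls_left = polls_until_mailbox
        self.users, self.holds = set(), set()

    def create_user(self, upn):
        self.users.add(upn)

    def mailbox_exists(self, upn):
        if upn not in self.users:
            return False
        self.polls_left -= 1
        return self.polls_left < 0

    def set_litigation_hold(self, upn):
        if not self.mailbox_exists(upn):
            raise NotReady(f"mailbox for {upn} is still provisioning")
        self.holds.add(upn)

def run_workflow(steps, max_attempts=5, base_delay=1.0, sleep=time.sleep):
    """Run steps strictly in order. A step that raises NotReady is retried
    with exponential backoff; if it never succeeds, the workflow stops and
    records the outstanding step instead of silently skipping it."""
    log = []
    for name, action in steps:
        for attempt in range(1, max_attempts + 1):
            try:
                action()
                log.append((name, "done", attempt))
                break
            except NotReady:
                if attempt == max_attempts:
                    log.append((name, "failed", attempt))
                    return log  # later steps depend on this one: do not run them
                sleep(base_delay * 2 ** (attempt - 1))
    return log

def provision(tenant, upn, **kw):
    """Two-step instance of the article's example: user first, then the hold."""
    return run_workflow([
        ("create user", lambda: tenant.create_user(upn)),
        ("litigation hold", lambda: tenant.set_litigation_hold(upn)),
    ], **kw)
```

The returned log is the audit trail: a "failed" entry is the automated equivalent of the step that a distracted admin would never have come back to.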
Workflow is also key to solving the Teams configuration problem. To set up Teams properly, certain tasks must be performed in order. In the case of Teams, a higher-level admin can create workflows to set up Teams-oriented voice functions such as routing and provide them to local employees, who simply apply those workflows and processes to their own individual environments.
With CoreView workflow, these local workers or admins get a form to fill out instead of waiting on a person to execute on that form. CoreView workflow automates the process so it is much timelier, and more straightforward. IT defines exactly what data is needed to process the request, and CoreView workflow processes that request efficiently and precisely.
A person needing to set up Teams’ voice features in Spain, for instance, could use a form provided by a higher-level admin, and apply that to setting up call features such as auto attendant for their organization, department, or group of users. Even better, this workflow is available on demand, 24 hours a day, seven days a week in their language. There is no need to pick up the phone or translate user requests.
License management is a complex but necessary task. A great approach is to create and automate a process to reclaim licenses when a user becomes inactive, or ask approval from the manager or IT, or to start the process to buy additional licenses, or automate the request to your LSP through a workflow when a usage threshold is reached.
Here is an example of such a scheduled workflow. Every month it targets users whose licenses have been inactive for the last 90 days, then:
Usually, IT does not have enough information to decide if a license must be removed or not. Managing this process manually can be very time consuming – often IT simply decides to do nothing. The workflow, on the other hand, speeds up inactive license deprovisioning by the actual manager who should know if the license must be removed or not.
Transferring a user is tricky – doing so for an admin or manager is even more thorny. The graphic below shows how easily a CoreView workflow gets the job done.
One CoreView customer has 51 different workflows (and counting). Here are some of the best: